Considerations for SSO Users
Considerations for users logged in to the system using SSO Identity Providers.
- When integrating with an SSO Identity Provider, XTAM expects a separate integration with Active Directory that syncs with the SSO IdP independently. XTAM uses the SSO IdP for authentication (including MFA) and login authorization (following the SSO IdP's rules). XTAM uses AD to resolve group membership when permissions or workflow activities are granted to AD groups.
- All proxies that allow users to connect using native clients authenticate using Active Directory and XTAM-managed MFA (TOTP, Duo, RADIUS, or XTAM's own native MFA).
- Some of the proxies (RDP and SQL, but not SSH or WEB Sessions) require a password hash stored in XTAM. The hash is stored automatically when users log in to XTAM directly. However, with SSO login XTAM does not know the user's password, so the only way to support this option is to let XTAM learn the password (there is a Re-Enable RDP Proxy button in the Properties of the user profile).
- For pass-through access ($login in the user field), both proxy and WEB access pass the password the user entered on the login form to the upstream endpoint. With SSO login, XTAM does not know the user's password, so it cannot pass it through to the endpoint server. The solution is to use Re-Enable RDP Proxy in the Properties of the user profile. When the password is changed, it must be Re-Enabled again using the same procedure.